From 118cf7b94c16d6f81aa256c35bb02f9a0e3b3bb2 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Wed, 27 Mar 2024 17:29:57 +0100
Subject: [PATCH] factorise code in pam_account_password_unix_remember

---
 .../ansible/debian.yml | 48 ------
 .../ansible/shared.yml | 62 +++++++-
 .../ansible/ubuntu.yml | 48 ------
 .../bash/debian.sh | 5 -
 .../bash/shared.sh | 15 +-
 .../bash/ubuntu.sh | 5 -
 .../oval/debian.xml | 1 -
 .../oval/shared.xml | 144 +++++++++---------
 .../oval/ubuntu.xml | 28 ----
 9 files changed, 141 insertions(+), 215 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
 delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml
deleted file mode 100644
index 092172904284..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# platform = multi_platform_debian
-# reboot = false
-# strategy = configure
-# complexity = low
-# disruption = medium
-
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
-
-# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
-# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
-# Here we adapt the code to allow using regex on the control field.
-
-{{% set pam_file='/etc/pam.d/common-password' %}}
-{{% set group='password' %}}
-{{% set control='\[success=[A-Za-z0-9].*\]' %}}
-{{% set module='pam_unix.so' %}}
-{{% set option='remember' %}}
-{{% set value='{{ var_password_pam_unix_remember }}' %}}
-
-- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
-    state: absent
-  check_mode: true
-  changed_when: false
-  register: result_pam_module_{{{ option }}}_option_present
-
-- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    backrefs: true
-    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
-    line: \1 {{{ option }}}={{{ value }}}
-    state: present
-  register: result_pam_{{{ option }}}_add
-  when:
-    - result_pam_module_{{{ option }}}_option_present.found == 0
-
-- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    backrefs: true
-    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
-    line: \1\2={{{ value }}} \3
-  register: result_pam_{{{ option }}}_edit
-  when:
-    - result_pam_module_{{{ option }}}_option_present.found > 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
index 658f8a3e475f..34ffb3a1d72e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -1,21 +1,69 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
 
-{{% if product in [ "sle12", "sle15" ] %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "ubuntu" in product or "debian" in product %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
+{{% set group='password' %}}
+{{% set control='\[success=[A-Za-z0-9].*\]' %}}
+{{% set module='pam_unix.so' %}}
+{{% set option='remember' %}}
+{{% set value='{{ var_password_pam_unix_remember }}' %}}
+{{% elif product in [ "sle12", "sle13" ] %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
 {{% else %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
+{{% set pam_file='/etc/pam.d/system-auth' %}}
 {{% endif %}}
 
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "ubuntu" in product or "debian" in product %}}
+
+# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
+# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
+# Here we adapt the code to allow using regex on the control field.
+
+- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: result_pam_module_{{{ option }}}_option_present
+
+- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    backrefs: true
+    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
+    line: \1 {{{ option }}}={{{ value }}}
+    state: present
+  register: result_pam_{{{ option }}}_add
+  when:
+    - result_pam_module_{{{ option }}}_option_present.found == 0
 
-{{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
+- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
+  ansible.builtin.lineinfile:
+    path: "{{{ pam_file }}}"
+    backrefs: true
+    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
+    line: \1\2={{{ value }}} \3
+  register: result_pam_{{{ option }}}_edit
+  when:
+    - result_pam_module_{{{ option }}}_option_present.found > 0
+
+
+{{% else %}}
+
+{{{ ansible_pam_pwhistory_enable(pam_file,
   'requisite',
   '^password.*requisite.*pam_pwquality\.so') }}}
 
-{{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
+{{{ ansible_pam_pwhistory_parameter_value(pam_file,
   'remember',
   '{{ var_password_pam_unix_remember }}') }}}
+
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
deleted file mode 100644
index 1532858150a5..000000000000
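Review bot: The SLE branch of the new file selection reads `{{% elif product in [ "sle12", "sle13" ] %}}`, while the condition it replaces and the bash and OVAL hunks of this same commit test `"sle12", "sle15"`; presumably a typo, and as written SLE 15 falls through to the `else` branch so `pam_file` becomes `/etc/pam.d/system-auth` and the remediation would edit a different file than the check reads. Change the line to `{{% elif product in [ "sle12", "sle15" ] %}}`. The Debian/Ubuntu test is also written twice, once to set the variables and once to choose the task list; moving the `set` lines into the second block, or keeping a single `{{% if %}}` that both sets and emits, would keep the two branches from drifting when a product is added later.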
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# platform = multi_platform_ubuntu
-# reboot = false
-# strategy = configure
-# complexity = low
-# disruption = medium
-
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
-
-# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
-# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
-# Here we adapt the code to allow using regex on the control field.
-
-{{% set pam_file='/etc/pam.d/common-password' %}}
-{{% set group='password' %}}
-{{% set control='\[success=[A-Za-z0-9].*\]' %}}
-{{% set module='pam_unix.so' %}}
-{{% set option='remember' %}}
-{{% set value='{{ var_password_pam_unix_remember }}' %}}
-
-- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
-    state: absent
-  check_mode: true
-  changed_when: false
-  register: result_pam_module_{{{ option }}}_option_present
-
-- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    backrefs: true
-    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
-    line: \1 {{{ option }}}={{{ value }}}
-    state: present
-  register: result_pam_{{{ option }}}_add
-  when:
-    - result_pam_module_{{{ option }}}_option_present.found == 0
-
-- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
-  ansible.builtin.lineinfile:
-    path: "{{{ pam_file }}}"
-    backrefs: true
-    regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
-    line: \1\2={{{ value }}} \3
-  register: result_pam_{{{ option }}}_edit
-  when:
-    - result_pam_module_{{{ option }}}_option_present.found > 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh
deleted file mode 100644
index e9352c4bc632..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_debian
-
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index c830c07aa2eb..d012e29c4151 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,12 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
 
-{{% if product in [ "sle12", "sle15" ] %}}
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "debian" in product or "ubuntu" in product %}}
+
+{{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
+
+{{% else %}}
 
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
   'requisite',
@@ -15,3 +21,6 @@
 {{{ bash_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
   'remember',
   "$var_password_pam_unix_remember") }}}
+
+{{% endif %}}
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
deleted file mode 100644
index dedfc48a1e92..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
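Review bot: `# platform = multi_platform_all` replaces an explicit list (rhel, fedora, ol, rhv, sle), but the `{{% if %}}` below it only recognises Debian, Ubuntu, sle12 and sle15 and sends every other product to `/etc/pam.d/system-auth` with the pwhistory macros; any product that was outside the old list now receives that default remediation, and nothing in this hunk shows its PAM layout was checked. If the widening is intentional, a short comment above the `else` branch stating which families the `system-auth` default is meant for, e.g. `# all other products use the RHEL-style single PAM stack in /etc/pam.d/system-auth`, would make the assumption reviewable; otherwise keep the explicit platform list plus debian/ubuntu. The Debian/Ubuntu test also appears twice in this hunk (file selection and branch selection); a single Jinja variable for that condition would keep them in step. The second hunk of this file ends with an added empty line after `{{% endif %}}`, which is trailing whitespace at end of file.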
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml
deleted file mode 120000
index 70f08ba8db12..000000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
index eae79c23ea69..945e014deb0a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if product in [ "sle12", "sle15" ] or "debian" in product or "ubuntu" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
@@ -9,150 +9,154 @@ {{{ oval_metadata("The passwords to remember should be set correctly.") }}} - - - - - - - - - - - - - - + + + + + + + + + + + + + + + comment="Remember parameter of pam_unix.so is properly configured"/> + + + check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file"> + version="1"> {{{ accounts_password_pam_unix_remember_file }}} + var_check="at least one" operation="pattern match"/> 1 + id="test_accounts_password_pam_unix_remember_pamd" check="all" version="1" + comment="Check remember parameter is present and correct in PAM file"> + id="object_accounts_password_pam_unix_remember_pamd" version="1"> {{{ accounts_password_pam_unix_remember_file }}} + var_ref="var_accounts_password_pam_unix_remember_pam_param_regex"/> 1 + id="state_accounts_password_pam_unix_remember" version="1"> + var_ref="var_password_pam_unix_remember"/> + datatype="int" comment="number of passwords that should be remembered"/> + + id="test_accounts_password_pam_unix_remember_no_pwhistory_conf" + comment="Check the absence of remember parameter in /etc/security/pwhistory.conf"> + object_ref="object_accounts_password_pam_unix_remember_param_conf"/> + id="object_accounts_password_pam_unix_remember_param_conf" version="1" + comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf"> ^/etc/security/pwhistory.conf$ + var_ref="var_accounts_password_pam_unix_remember_conf_param_regex"/> 1 + id="test_accounts_password_pam_unix_remember_no_pamd" version="1" + check="all" check_existence="none_exist" + comment="Check remember parameter is absent in PAM file"> + id="test_accounts_password_pam_unix_remember_pwhistory_conf" version="1" + check="all" check_existence="all_exist" + comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf"> + datatype="string" version="1" + comment="The regex is to confirm the pam_pwhistory.so module is enabled"> 
^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*$ + datatype="string" version="1" + comment="The regex is to collect the pam_pwhistory.so remember paramerter from PAM files"> ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ + datatype="string" version="1" + comment="The regex is to collect the pam_pwhistory.so remember paramerter in pwhistory.conf"> ^\s*remember\s*=\s*([0-9]+) + check="all" check_existence="all_exist" + comment="Test if remember attribute of pam_unix.so is set correctly in {{{ accounts_password_pam_unix_remember_file }}}"> - /etc/pam.d/system-auth - ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ + {{{ accounts_password_pam_unix_remember_file }}} + ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml deleted file mode 100644 index 13ca8a977b79..000000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml +++ /dev/null @@ -1,28 +0,0 @@ - - - {{{ oval_metadata("The passwords to remember should be set correctly.") }}} - - - - - - - - - - - - - /etc/pam.d/common-password - ^\s*password\s+\[.*\]\s+pam_unix\.so.*remember=([0-9]*).*$ - 1 - - - - - - - - -
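Review bot: The new pam_unix pattern `^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so.*remember=([0-9]*).*$` accepts any bracketed control token, whereas the Ansible and bash remediations in this commit only edit lines whose control is `\[success=...\]`; a `pam_unix.so` line with a different bracketed control and a `remember=` value would satisfy this check while the remediation would leave it untouched or append to another line, so check and fix can disagree. If the intent is to verify exactly what the remediation writes, narrowing the alternative to `(?:\[success=[^\]]*\])` keeps the two aligned; `\[.*\]` is also greedy and will run past the first `]` on lines that contain more than one bracket. The criteria that combine this test with the pwhistory tests are not legible in this hunk, so whether a match here alone yields a pass is inferred from the removed ubuntu.xml, which had only this single test. The hunk also keeps the pre-existing `([0-9]*)`, which matches an empty `remember=`; `([0-9]+)`, as already used in the pwhistory.conf pattern above, would reject that.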